Researchers say they have uncovered a takedown-resistant botnet of 14,000 routers and other network devices—primarily made by Asus—that have been conscripted into a proxy network that anonymously carries traffic used for cybercrime.
The malware—dubbed KadNap—takes hold by exploiting vulnerabilities that have gone unpatched by their owners, Chris Formosa, a researcher at security firm Lumen’s Black Lotus Labs, told Ars. The high concentration of Asus routers is likely due to botnet operators acquiring a reliable exploit for vulnerabilities affecting those models. He said it’s unlikely that the attackers are using any zero-days in the operation.
A botnet that stands out among others
The number of infected routers averages about 14,000 per day, up from 10,000 last August, when Black Lotus discovered the botnet. Compromised devices are overwhelmingly located in the US, with smaller populations in Taiwan, Hong Kong, and Russia. One of the most salient features of KadNap is a sophisticated peer-to-peer design based on Kademlia, a network structure that uses distributed hash tables to conceal the IP addresses of command-and-control servers. The design makes the botnet resistant to detection and takedowns through traditional methods.
“The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control,” Formosa and fellow Black Lotus researcher Steve Rudd wrote Wednesday. “Their intention is clear: avoid detection and make it difficult for defenders to protect against.”
Distributed hash tables have long been used to create hardened peer-to-peer networks, most notably BitTorrent and the InterPlanetary File System. Rather than having one or more centralized servers that directly control nodes and provide them with the IP addresses of other nodes, DHTs allow any node to poll other nodes for the device or server it’s looking for. The decentralized structure and the substitution of IP addresses with hashes give the network resilience against takedowns or denial-of-service attacks.
The concept of DHTs can be hard to grasp. At a simplified level, they are data structures stored on multiple network peers, as described here. This design makes the network scalable. The more network nodes, the better the distribution of elements is. DHTs also make networks fault-tolerant. When one node leaves the network, nodes go elsewhere for location lookups. In theory, the only way to take the network down is to sever all connected nodes.
Kademlia uses a 160-bit space to designate (1) keys—which are unique bitstrings derived by hashing a chunk of data—and (2) node IDs, both of which are assigned to each node. Nodes then store the keys of other nodes. The stored keys are organized by their similarity to the ID of the node storing them. Proximity is measured by XOR distance: the bitwise exclusive OR of two identifiers, read as an integer, with a smaller result meaning the two are closer. When a node polls another node, it uses this metric to locate other nodes with the closest distance to the key it’s looking for until it finally finds a match. KadNap, a variant of Kademlia, obtains the key to be searched through a BitTorrent node.
Formosa explained:
DHT helps you get closer and closer to a target. You first reach out to some entry BitTorrent nodes and basically say, “Hey, I have this secret passphrase. I’m looking for who to give it to.” So you give it to a couple of nearby “neighbors” and they say, “Ah, OK, I don’t fully understand this passphrase, but it’s kind of familiar, and here are some people who may know what that means.” So now you go to those neighbors and the process continues. Eventually you reach someone who says, “Yes! This is my passphrase, welcome in.” In our case, when we reach this person they say here is a file to firewall port 22 and then here is a second file containing the C2 address you want to connect to.
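The lookup that the Kademlia paragraph and Formosa’s “neighbors” description sketch can be seen in a small simulation. The code below is an added example written for this article, not code from Black Lotus Labs or from the botnet: it hashes names into 160-bit IDs with SHA-1 (as Kademlia does), gives every node k-buckets keyed by the highest differing bit, and runs the iterative lookup that repeatedly asks the closest unqueried node for its closest contacts until the k closest known nodes have all been asked. The node names, the 40-node network and the “rendezvous key” are constructed stand-ins, not real KadNap values; a brute-force search over all nodes checks that the hop-by-hop lookup lands on the globally closest node.

```python
import hashlib

ID_BITS = 160   # Kademlia's key/ID space, as the article describes
K = 3           # k-bucket size; kept tiny so a 40-node simulation needs several hops


def node_id(name: str) -> int:
    """Derive a 160-bit identifier by hashing, the way Kademlia derives keys and node IDs."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's closeness metric: the XOR of two IDs read as an integer (smaller = closer)."""
    return a ^ b


def bucket_index(own: int, other: int) -> int:
    """Which k-bucket `other` falls into from `own`'s view: the position of the highest differing bit."""
    return (own ^ other).bit_length() - 1


class Node:
    def __init__(self, name: str) -> None:
        self.name = name
        self.id = node_id(name)
        self.buckets = {}   # bucket index -> list of at most K contact IDs
        self.queries = 0    # how often this node was asked, for inspection

    def learn(self, other: int) -> None:
        """Record a contact, keeping at most K per bucket (first seen wins in this simulation)."""
        if other == self.id:
            return
        bucket = self.buckets.setdefault(bucket_index(self.id, other), [])
        if len(bucket) < K and other not in bucket:
            bucket.append(other)

    def find_node(self, target: int) -> list:
        """Answer a FIND_NODE query: the K contacts this node knows that are closest to target."""
        self.queries += 1
        contacts = [c for bucket in self.buckets.values() for c in bucket]
        contacts.sort(key=lambda c: xor_distance(c, target))
        return contacts[:K]


def build_network(names):
    """Simulate a bootstrapped network: every node fills its k-buckets from the full peer list."""
    nodes = {node_id(n): Node(n) for n in names}
    for node in nodes.values():
        for other in sorted(nodes):
            node.learn(other)
    return nodes


def iterative_find_node(nodes, entry: int, target: int):
    """Iterative lookup from one entry node: keep asking the closest unqueried node
    until the K closest nodes seen so far have all been asked. Returns (closest_id, hops)."""
    shortlist = {entry}
    queried = set()
    hops = 0
    while True:
        closest = sorted(shortlist, key=lambda c: xor_distance(c, target))[:K]
        pending = [c for c in closest if c not in queried]
        if not pending:
            return closest[0], hops
        nxt = pending[0]
        queried.add(nxt)
        hops += 1
        shortlist.update(nodes[nxt].find_node(target))


def brute_force_closest(nodes, target: int) -> int:
    """Ground truth for checking the lookup: scan every node in the simulated network."""
    return min(nodes, key=lambda c: xor_distance(c, target))


if __name__ == "__main__":
    # Constructed 40-node network and a constructed rendezvous key (a stand-in for the
    # passphrase-derived key the article describes; not a real KadNap value).
    net = build_network([f"router-{i:02d}" for i in range(40)])
    key = node_id("constructed-rendezvous-key")
    found, hops = iterative_find_node(net, node_id("router-00"), key)
    print(f"lookup reached {net[found].name} after {hops} hops; "
          f"brute force agrees: {found == brute_force_closest(net, key)}")
```

Two details matter for the takedown-resistance point the article makes. No node ever holds the whole peer list, only a handful of contacts per bucket, so seizing one node reveals little; and the lookup still converges from any entry point because each queried node either knows the closest node outright or knows K nodes that are strictly closer than itself. Lowering K or adding nodes lengthens the hop count but does not change the result.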
Despite the resistance to normal takedown methods, Black Lotus says it has devised a means to block all network traffic to or from the control infrastructure. The lab is also distributing the indicators of compromise to public feeds to help other parties block access.
Infected devices are being used to carry traffic for Doppelganger, a fee-based proxy service that tunnels customers’ Internet traffic through the Internet connections—primarily residential—of unsuspecting people. With high bandwidth and IP addresses with clean reputations, the service provides customers with a reliable way to efficiently and anonymously visit sites that might otherwise not be accessible.
People who are concerned their devices are infected can check this page for IP addresses and a file hash found in device logs. To disinfect devices, they must be factory reset. Because KadNap stores a shell script that runs when an infected router reboots, simply restarting the device will result in it being compromised all over again. Device owners should also ensure all available firmware updates have been installed, that administrative passwords are strong, and that remote access has been disabled unless needed.
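For owners who want to check device logs against the published indicators, the following is an added example (not a tool from Black Lotus Labs or the article) of how such a check can be scripted. It pulls IPv4 addresses and MD5/SHA-1/SHA-256-shaped hex strings out of each log line and reports the ones that appear in an indicator set. The indicator values and the sample log lines here are constructed placeholders, using documentation address ranges and a dummy hash; the real IP addresses and file hash come from the Black Lotus Labs page the article points to and should be substituted in before use.

```python
import re

# Constructed placeholder indicators. Replace with the IP addresses and file hash
# published by Black Lotus Labs; these are TEST-NET addresses and a dummy SHA-256.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
IOC_HASHES = {"0" * 63 + "1"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# 64, 40 or 32 hex digits bounded by non-hex characters (SHA-256, SHA-1, MD5)
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")

# Constructed sample log lines in a syslog-like format; not real device output.
SAMPLE_LOG = """\
Jan 14 03:12:44 router dnsmasq[512]: query[A] example.com from 192.168.1.23
Jan 14 03:12:51 router kernel: OUT=eth0 DST=203.0.113.10 DPT=443
Jan 14 03:13:02 router sh: fetched /tmp/update sha256=0000000000000000000000000000000000000000000000000000000000000001
Jan 14 03:13:10 router kernel: OUT=eth0 DST=8.8.8.8 DPT=53
""".splitlines()


def scan_log(lines, ioc_ips=IOC_IPS, ioc_hashes=IOC_HASHES):
    """Return (line_number, kind, value) for every indicator found in the given log lines.

    Hashes are compared case-insensitively; IPs must match exactly.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append((lineno, "ip", ip))
        for digest in HASH_RE.findall(line):
            if digest.lower() in ioc_hashes:
                hits.append((lineno, "hash", digest.lower()))
    return hits


def scan_file(path, ioc_ips=IOC_IPS, ioc_hashes=IOC_HASHES):
    """Convenience wrapper for an exported log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log(fh, ioc_ips, ioc_hashes)


if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: matched {kind} indicator {value}")
```

A match only means the device talked to, or fetched something matching, a published indicator; per the article, the remediation is the same either way: factory reset rather than reboot (the startup script would otherwise reinfect the device), then apply firmware updates, set a strong administrative password and disable remote access unless it is needed.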